DETAILED ACTION 

1. Claims 1-11 have been amended. 

2. Claims 12-13 have been added. 

3. Claims 1-13 are pending for consideration. 

Priority 

4. Acknowledgment is made of applicant's claim for foreign priority under 35 
U.S.C. 119(a)-(d). 

Claim Objections 

5. Claim 4 is objected to because of the following informalities: 
Regarding claim 4, the limitation "supplying alert identifiers satisfying the 
request and whose description cannot be refined with respect to said request" 
is repeated twice in this claim. Examiner interprets claim 4 as "wherein the 
alert management system (13) further responds to the request by supplying alert 
identifiers satisfying the request and whose description cannot be refined with 
respect to said request." 

Appropriate correction is required. 

Claim Rejections - 35 USC §112 

6. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

7. Claims 1 and 12 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject 
matter which applicant regards as the invention. 

8. Claims 1 and 12 recite the limitations "valued attributes" in line 6 and "the 
plurality of attribute domains" in lines 8-9. There is insufficient antecedent basis 
for these limitations in these claims. 

Claim Rejections - 35 USC § 101 

9. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or 
composition of matter, or any new and useful improvement thereof, may obtain a patent 
therefor, subject to the conditions and requirements of this title. 

10. Claim 11 is rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. 

Claim 11 is interpreted as being purely software per se because it 
comprises merely software for manipulating data. 

Data structures not claimed as embodied in computer-readable media are 
descriptive material per se and are not statutory because they are not capable of 
causing functional change in the computer. See, e.g., Warmerdam, 33 F.3d at 
1361, 31 USPQ2d at 1760. Such claimed data structures do not define any 
structural and functional interrelationship between the data structure and other 
claimed aspects of the invention which permit the data structure's functionality to 
be realized. In contrast, a claimed computer-readable medium encoded with a 
data structure defines a structural and functional interrelationship between the data 
structure and the computer software and hardware components which permit the 
data structure's functionality to be realized, and is thus statutory. 



Claim Rejections - 35 USC § 102 

11. The following is a quotation of the appropriate paragraphs of 35 
U.S.C. 102 that form the basis for the rejections under this section made in this 
Office action: 

A person shall be entitled to a patent unless - 

(a) the invention was known or used by others in this country, or patented or described in a printed 
publication in this or a foreign country, before the invention thereof by the applicant for a patent. 

12. Claims 1-13 are rejected under 35 U.S.C. 102(a) as being anticipated by 
Julisch ("Clustering Intrusion Detection Alarms to Support Root Cause Analysis"), 
hereinafter Julisch. 

Regarding claim 1, Julisch discloses a method of managing alerts (Julisch: 
pages 467-468) issued by intrusion detection sensors (11a, 11b, 11c) of an 
information security system (1) including an alert management system (13), each 
alert being defined by an alert identifier and an alert content, which method 
includes the following steps: associating with each of the alerts issued by the 
intrusion detection sensors (11a, 11b, 11c) a description including a conjunction 
of valued attributes belonging to attribute domains (Julisch: page 449, paragraph 
2, "where {A1, ..., An} is the set of alarm attributes ... alarm attributes capture 
intrinsic alarm properties, such as the source IP address of an alarm, its 
destination IP address, its alarm type (which encodes the observed attack), and its 
time-stamp"); organizing the valued attributes belonging to each attribute domain 
into a taxonomic structure defining generalization relationships between said 
valued attributes, the plurality of attribute domains thus forming a plurality of 
taxonomic structures (Julisch: page 449, paragraphs 2-4, "dom(Ai) is the domain 
(i.e., the range of possible value) of attribute Ai" and "generalization hierarchies"); 
completing the description of each of said alerts with sets of values induced by 
the taxonomic structures on the basis of the valued attributes of said alerts to 
form complete alerts (Julisch: page 449, paragraphs 2-4, "generalized alarm"); 
and storing said complete alerts in a logic file system (21) to enable them to be 
consulted (Julisch: page 450, section 4 [ALARM-CLUSTERING PROBLEMS] 
and pages 456-457, section 5.1 and 463-465, "alarm log"). 

Regarding claim 2, Julisch further discloses wherein complete alerts are 
consulted by successively interrogating and/or browsing said complete alerts so 
that the alert management system (13) responds to a request by supplying 
pertinent valued attributes enabling a subset of complete alerts to be 
distinguished in a set of complete alerts satisfying the request in order to enable 
said request to be refined (Julisch: pages 464-465 and 467-468, section 7). 

Regarding claim 3, Julisch further discloses wherein the pertinent valued 
attributes assigned the highest priority are those that are most general, given the 
taxonomic structures (Julisch: page 464). 

Regarding claim 4, Julisch further discloses wherein the alert 
management system (13) further responds to the request by supplying alert 
identifiers satisfying the request and whose description cannot be refined with 
respect to said request (Julisch: pages 464-465 and 467-468, section 7). 
Regarding claim 5, Julisch further discloses wherein the alert identifier is a 
pair consisting of an identifier of the intrusion detection sensor (11a, 11b, 11c) 
that produces the alert and an alert serial number assigned by said sensor 
(Julisch: pages 449 and 452). 

Regarding claim 6, Julisch further discloses wherein the content of each 
alert includes a text message supplied by the corresponding intrusion detection 
sensor (11a, 11b, 11c) (Julisch: pages 451-452). 

Regarding claim 7, Julisch further discloses wherein each valued attribute 
includes an attribute identifier and an attribute value (Julisch: pages 449 and 
451-452). 

Regarding claim 8, Julisch further discloses wherein each attribute 
identifier is associated with one of the following attribute domains: attack domain, 
attacker identity domain, victim identity domain, and attack date domain (Julisch: 
pages 449 and 451-452). 

Regarding claim 9, Julisch further discloses wherein the description of a 
given alert is completed by recovering recursively from generalization 
relationships of the taxonomic structures a set including the more general valued 
attributes not already included in the description of another alert completed 
previously (Julisch: pages 449 and 456, last paragraph). 

Regarding claim 10, Julisch further discloses wherein the valued attributes 
in the taxonomic structure are organized in accordance with an acyclic directed 
graph (Julisch: pages 449 and 462). 



Application/Control Number: 10/583,586 Page 7 

Art Unit: 2131 

Regarding claim 11, Julisch further discloses a computer program 
designed to execute the method according to claim 1, when it is executed by the 
alert management system (13) (Julisch: pages 467-468). 

Regarding claim 12, this claim has limitations that are similar to those of 
claim 1, thus it is rejected with the same rationale applied against claim 1 above. 

Regarding claim 13, Julisch further discloses an information security system 
comprising intrusion detection sensors and an alert management system 
according to claim 12 (Julisch: pages 467-468). 
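The method paraphrased in the rejections of claims 1-4, 9 and 10 above (a description as a conjunction of valued attributes, generalization hierarchies per attribute domain organized as an acyclic directed graph, recursive completion of each alert with the induced more general values, and consultation through a logic-file-system style request that is answered with pertinent refining attributes and with the identifiers of alerts that cannot be refined) can be made concrete with a small model. The code below is an added illustration written for this page; it is neither part of the Office action nor code from Julisch's paper or from the applicant's system, and all taxonomies, sensor identifiers, attribute values, alert messages and requests in it are constructed for the example.

```python
"""Taxonomy-based alert completion and logic-file-system style consultation.

Added example, not code from the application or from Julisch. All taxonomies,
sensors, alerts and requests below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ValuedAttribute = Tuple[str, str]  # (attribute identifier, attribute value)

# One taxonomic structure per attribute domain: an acyclic directed graph whose
# edges value -> parent are generalization relationships. A value may have
# several parents (a date generalizes to a weekday class AND a month), which is
# why a DAG rather than a tree is used. Constructed sample hierarchies.
TAXONOMIES: Dict[str, Dict[str, List[str]]] = {
    "attack": {"port-scan": ["reconnaissance"], "ssh-brute-force": ["credential-attack"],
               "reconnaissance": ["any-attack"], "credential-attack": ["any-attack"]},
    "attacker": {"192.0.2.7": ["192.0.2.0/24"], "192.0.2.9": ["192.0.2.0/24"],
                 "198.51.100.3": ["198.51.100.0/24"],
                 "192.0.2.0/24": ["external"], "198.51.100.0/24": ["external"]},
    "victim": {"10.0.0.5": ["dmz"], "10.0.1.8": ["internal-lan"],
               "dmz": ["any-host"], "internal-lan": ["any-host"]},
    "date": {"2004-03-01": ["workday", "march"], "2004-03-06": ["weekend", "march"],
             "workday": ["any-date"], "weekend": ["any-date"], "march": ["any-date"]},
}


def generalizations(domain: str, value: str) -> Set[str]:
    """Recover recursively every value more general than `value` in its domain."""
    seen: Set[str] = set()
    queue = deque(TAXONOMIES[domain].get(value, []))
    while queue:
        parent = queue.popleft()
        if parent not in seen:
            seen.add(parent)
            queue.extend(TAXONOMIES[domain].get(parent, []))
    return seen


def generality(va: ValuedAttribute) -> int:
    """Number of ancestors: fewer ancestors means a more general value."""
    return len(generalizations(*va))


@dataclass(frozen=True)
class Alert:
    identifier: Tuple[str, int]              # (sensor identifier, serial number)
    content: str                             # text message supplied by the sensor
    description: FrozenSet[ValuedAttribute]  # conjunction of valued attributes


def complete(alert: Alert) -> Alert:
    """Add to the description the set of values induced by the taxonomies."""
    induced = set(alert.description)
    for domain, value in alert.description:
        induced.update((domain, g) for g in generalizations(domain, value))
    return Alert(alert.identifier, alert.content, frozenset(induced))


class LogicFileSystem:
    """Stores complete alerts; a request is a conjunction of valued attributes."""

    def __init__(self, alerts: List[Alert]):
        self.alerts = [complete(a) for a in alerts]

    def satisfying(self, request: Set[ValuedAttribute]) -> List[Alert]:
        return [a for a in self.alerts if request <= a.description]

    def respond(self, request: Set[ValuedAttribute]):
        """Return (pertinent valued attributes, identifiers of unrefinable alerts)."""
        matched = self.satisfying(request)
        if not matched:
            return [], []
        common = frozenset.intersection(*(a.description for a in matched))
        union = frozenset.union(*(a.description for a in matched))
        # Pertinent attributes are those that split the matched set; the most
        # general ones (fewest ancestors) are listed first.
        pertinent = sorted(union - common, key=lambda va: (generality(va), va))
        # An alert holding none of the pertinent attributes cannot be refined
        # any further with respect to this request.
        unrefinable = [a.identifier for a in matched
                       if not (a.description & set(pertinent))]
        return pertinent, unrefinable


def build_store() -> LogicFileSystem:
    """Constructed sample alerts from two hypothetical sensors."""
    return LogicFileSystem([
        Alert(("sensor-A", 1), "TCP port sweep", frozenset({("attack", "port-scan"),
              ("attacker", "192.0.2.7"), ("victim", "10.0.0.5"), ("date", "2004-03-01")})),
        Alert(("sensor-A", 2), "TCP port sweep", frozenset({("attack", "port-scan"),
              ("attacker", "192.0.2.9"), ("victim", "10.0.0.5"), ("date", "2004-03-01")})),
        Alert(("sensor-B", 1), "SSH login failures", frozenset({("attack", "ssh-brute-force"),
              ("attacker", "198.51.100.3"), ("victim", "10.0.1.8"), ("date", "2004-03-06")})),
    ])


if __name__ == "__main__":
    store = build_store()
    for request in ({("attack", "reconnaissance")}, {("victim", "any-host")},
                    {("attack", "credential-attack")}):
        print(request, "->", store.respond(request))
```

Asking for `("attack", "reconnaissance")` matches both port-scan alerts through their completed descriptions even though neither carries that value literally; the only attributes that still distinguish them are the two attacker addresses, so those are returned as refinements and no alert is reported as unrefinable. Asking for `("attack", "credential-attack")` matches a single alert, so there is nothing left to refine and its identifier is returned instead.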
Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to TRANG DOAN whose telephone number is 
(571)272-0740. The examiner can normally be reached on Monday-Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax 
phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
If you would like assistance from a USPTO Customer Service 
Representative or access to the automated information system, call 800-786-9199 
(IN USA OR CANADA) or 571-272-1000. 

/Trang Doan/ 
Examiner, Art Unit 2131 
/Ayaz R. Sheikh/ 

Supervisory Patent Examiner, Art Unit 2131 



